marcel/mealprep
1
0
Fork 0
Code Issues 22 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(join): A4 — Join household (accept invite) #61

Merged
marcel merged 24 commits from feat/issue-21-join-household into master 2026-04-19 14:29:14 +02:00
Conversation 6 Commits 24 Files Changed 25 +1052 -107
25 changed files with 1052 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
backend/Dockerfile
View File

@@ -7,6 +7,7 @@ COPY src src
RUN ./mvnw package -DskipTests -B RUN ./mvnw package -DskipTests -B
FROM eclipse-temurin:21-jre-alpine FROM eclipse-temurin:21-jre-alpine
RUN apk add --no-cache libwebp
WORKDIR /app WORKDIR /app
COPY --from=build /app/target/*.jar app.jar COPY --from=build /app/target/*.jar app.jar
EXPOSE 8080 EXPOSE 8080

29
backend/src/main/java/com/recipeapp/auth/AuthController.java
View File

@@ -7,15 +7,10 @@ import jakarta.servlet.http.HttpSession;
import jakarta.validation.Valid; import jakarta.validation.Valid;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity; import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.web.bind.annotation.*; import org.springframework.web.bind.annotation.*;
import java.security.Principal; import java.security.Principal;
import java.util.List;
@RestController @RestController
@RequestMapping("/v1/auth") @RequestMapping("/v1/auth")
@@ -32,7 +27,7 @@ public class AuthController {
@Valid @RequestBody SignupRequest request, @Valid @RequestBody SignupRequest request,
HttpServletRequest httpRequest) { HttpServletRequest httpRequest) {
UserResponse user = authService.signup(request); UserResponse user = authService.signup(request);
authenticateInSession(user.email(), "user", httpRequest); authService.authenticateInSession(user.email(), "user", httpRequest);
return ResponseEntity.status(HttpStatus.CREATED).body(ApiResponse.success(user)); return ResponseEntity.status(HttpStatus.CREATED).body(ApiResponse.success(user));
} }
@@ -41,30 +36,10 @@ public class AuthController {
@Valid @RequestBody LoginRequest request, @Valid @RequestBody LoginRequest request,
HttpServletRequest httpRequest) { HttpServletRequest httpRequest) {
UserResponse user = authService.login(request); UserResponse user = authService.login(request);
// Session fixation protection: invalidate old session before creating new one authService.authenticateInSession(user.email(), user.systemRole() != null ? user.systemRole() : "user", httpRequest);
var oldSession = httpRequest.getSession(false);
if (oldSession != null) {
oldSession.invalidate();
}
authenticateInSession(user.email(), user.systemRole() != null ? user.systemRole() : "user", httpRequest);
return ResponseEntity.ok(ApiResponse.success(user)); return ResponseEntity.ok(ApiResponse.success(user));
} }
/**
* Creates an authenticated Spring Security context and stores it in the HTTP session
* so that subsequent requests from the same session are recognised as authenticated.
* We do this manually because we are not using Spring Security's built-in form login.
*/
private void authenticateInSession(String email, String role, HttpServletRequest request) {
var auth = UsernamePasswordAuthenticationToken.authenticated(
email, null, List.of(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase())));
SecurityContext context = SecurityContextHolder.createEmptyContext();
context.setAuthentication(auth);
SecurityContextHolder.setContext(context);
request.getSession(true).setAttribute(
HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
}
@PostMapping("/logout") @PostMapping("/logout")
public ResponseEntity<Void> logout(HttpServletRequest httpRequest) { public ResponseEntity<Void> logout(HttpServletRequest httpRequest) {
HttpSession session = httpRequest.getSession(false); HttpSession session = httpRequest.getSession(false);

26
backend/src/main/java/com/recipeapp/auth/AuthService.java
View File

@@ -7,10 +7,18 @@ import com.recipeapp.common.ResourceNotFoundException;
import com.recipeapp.common.ValidationException; import com.recipeapp.common.ValidationException;
import com.recipeapp.household.HouseholdMemberRepository; import com.recipeapp.household.HouseholdMemberRepository;
import com.recipeapp.household.entity.HouseholdMember; import com.recipeapp.household.entity.HouseholdMember;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.stereotype.Service; import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional; import org.springframework.transaction.annotation.Transactional;
import java.util.List;
@Service @Service
public class AuthService { public class AuthService {
@@ -82,6 +90,24 @@ public class AuthService {
return UserResponse.basic(user.getId(), user.getEmail(), user.getDisplayName()); return UserResponse.basic(user.getId(), user.getEmail(), user.getDisplayName());
} }
/**
* Establishes an authenticated Spring Security session for the given user.
* Invalidates any existing session first (session fixation protection).
*/
public void authenticateInSession(String email, String role, HttpServletRequest request) {
var oldSession = request.getSession(false);
if (oldSession != null) {
oldSession.invalidate();
}
var auth = UsernamePasswordAuthenticationToken.authenticated(
email, null, List.of(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase())));
SecurityContext context = SecurityContextHolder.createEmptyContext();
context.setAuthentication(auth);
SecurityContextHolder.setContext(context);
request.getSession(true).setAttribute(
HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
}
private UserResponse toUserResponse(UserAccount user) { private UserResponse toUserResponse(UserAccount user) {
return householdMemberRepository.findByUserEmailIgnoreCase(user.getEmail()) return householdMemberRepository.findByUserEmailIgnoreCase(user.getEmail())
.map(member -> UserResponse.withHousehold( .map(member -> UserResponse.withHousehold(

2
backend/src/main/java/com/recipeapp/auth/SecurityConfig.java
View File

@@ -24,11 +24,13 @@ public class SecurityConfig {
.authorizeHttpRequests(auth -> auth .authorizeHttpRequests(auth -> auth
.requestMatchers("/v1/auth/signup", "/v1/auth/login").permitAll() .requestMatchers("/v1/auth/signup", "/v1/auth/login").permitAll()
.requestMatchers("/swagger-ui/**", "/v3/api-docs/**").permitAll() .requestMatchers("/swagger-ui/**", "/v3/api-docs/**").permitAll()
.requestMatchers("/v1/invites/**").permitAll()
.requestMatchers("/v1/admin/**").hasAuthority("ROLE_ADMIN") .requestMatchers("/v1/admin/**").hasAuthority("ROLE_ADMIN")
.anyRequest().authenticated()) .anyRequest().authenticated())
.exceptionHandling(ex -> ex .exceptionHandling(ex -> ex
.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))) .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
.sessionManagement(session -> session .sessionManagement(session -> session
.sessionFixation().changeSessionId()
.maximumSessions(1)); .maximumSessions(1));
return http.build(); return http.build();

21
backend/src/main/java/com/recipeapp/household/HouseholdController.java
View File

@@ -1,7 +1,9 @@
package com.recipeapp.household; package com.recipeapp.household;
import com.recipeapp.auth.AuthService;
import com.recipeapp.common.ApiResponse; import com.recipeapp.common.ApiResponse;
import com.recipeapp.household.dto.*; import com.recipeapp.household.dto.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid; import jakarta.validation.Valid;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity; import org.springframework.http.ResponseEntity;
@@ -17,9 +19,11 @@ import java.util.UUID;
public class HouseholdController { public class HouseholdController {
private final HouseholdService householdService; private final HouseholdService householdService;
private final AuthService authService;
public HouseholdController(HouseholdService householdService) { public HouseholdController(HouseholdService householdService, AuthService authService) {
this.householdService = householdService; this.householdService = householdService;
this.authService = authService;
} }
@PostMapping("/households") @PostMapping("/households")
@@ -71,11 +75,20 @@ public class HouseholdController {
return ResponseEntity.ok(ApiResponse.success(response)); return ResponseEntity.ok(ApiResponse.success(response));
} }
@GetMapping("/invites/{code}")
public ResponseEntity<ApiResponse<InviteInfoResponse>> getInviteInfo(@PathVariable String code) {
InviteInfoResponse response = householdService.getInviteInfo(code);
return ResponseEntity.ok(ApiResponse.success(response));
}
@PostMapping("/invites/{code}/accept") @PostMapping("/invites/{code}/accept")
public ResponseEntity<ApiResponse<AcceptInviteResponse>> acceptInvite( public ResponseEntity<ApiResponse<AcceptInviteResponse>> acceptInvite(
Principal principal, @PathVariable String code,
@PathVariable String code) { @Valid @RequestBody AcceptInviteRequest request,
AcceptInviteResponse response = householdService.acceptInvite(principal.getName(), code); HttpServletRequest httpRequest) {
AcceptInviteResponse response = householdService.acceptInvite(
code, request.name(), request.email(), request.password());
authService.authenticateInSession(request.email(), "user", httpRequest);
return ResponseEntity.ok(ApiResponse.success(response)); return ResponseEntity.ok(ApiResponse.success(response));
} }
} }

54
backend/src/main/java/com/recipeapp/household/HouseholdService.java
View File

@@ -6,6 +6,7 @@ import com.recipeapp.common.ConflictException;
import com.recipeapp.common.ResourceNotFoundException; import com.recipeapp.common.ResourceNotFoundException;
import com.recipeapp.common.ValidationException; import com.recipeapp.common.ValidationException;
import com.recipeapp.household.dto.*; import com.recipeapp.household.dto.*;
import org.springframework.security.crypto.password.PasswordEncoder;
import com.recipeapp.household.entity.Household; import com.recipeapp.household.entity.Household;
import com.recipeapp.household.entity.HouseholdInvite; import com.recipeapp.household.entity.HouseholdInvite;
import com.recipeapp.household.entity.HouseholdMember; import com.recipeapp.household.entity.HouseholdMember;
@@ -38,6 +39,7 @@ public class HouseholdService {
private final IngredientCategoryRepository ingredientCategoryRepository; private final IngredientCategoryRepository ingredientCategoryRepository;
private final TagRepository tagRepository; private final TagRepository tagRepository;
private final VarietyScoreConfigRepository varietyScoreConfigRepository; private final VarietyScoreConfigRepository varietyScoreConfigRepository;
private final PasswordEncoder passwordEncoder;
@Value("${app.base-url}") @Value("${app.base-url}")
private String baseUrl; private String baseUrl;
@@ -52,7 +54,8 @@ public class HouseholdService {
IngredientRepository ingredientRepository, IngredientRepository ingredientRepository,
IngredientCategoryRepository ingredientCategoryRepository, IngredientCategoryRepository ingredientCategoryRepository,
TagRepository tagRepository, TagRepository tagRepository,
VarietyScoreConfigRepository varietyScoreConfigRepository) { VarietyScoreConfigRepository varietyScoreConfigRepository,
PasswordEncoder passwordEncoder) {
this.userAccountRepository = userAccountRepository; this.userAccountRepository = userAccountRepository;
this.householdRepository = householdRepository; this.householdRepository = householdRepository;
this.householdMemberRepository = householdMemberRepository; this.householdMemberRepository = householdMemberRepository;
@@ -61,6 +64,7 @@ public class HouseholdService {
this.ingredientCategoryRepository = ingredientCategoryRepository; this.ingredientCategoryRepository = ingredientCategoryRepository;
this.tagRepository = tagRepository; this.tagRepository = tagRepository;
this.varietyScoreConfigRepository = varietyScoreConfigRepository; this.varietyScoreConfigRepository = varietyScoreConfigRepository;
this.passwordEncoder = passwordEncoder;
} }
@Transactional @Transactional
@@ -161,37 +165,57 @@ public class HouseholdService {
householdInviteRepository.findByHouseholdIdAndInvalidatedAtIsNull(household.getId()) householdInviteRepository.findByHouseholdIdAndInvalidatedAtIsNull(household.getId())
.ifPresent(existing -> { .ifPresent(existing -> {
existing.setInvalidatedAt(Instant.now()); existing.setInvalidatedAt(Instant.now());
householdInviteRepository.save(existing); householdInviteRepository.saveAndFlush(existing);
}); });
String code = generateInviteCode(); String code = generateInviteCode();
Instant expiresAt = Instant.now().plusSeconds(48 * 3600); Instant expiresAt = Instant.now().plusSeconds(48 * 3600);
HouseholdInvite invite = householdInviteRepository.save( HouseholdInvite invite = new HouseholdInvite(household, code, expiresAt);
new HouseholdInvite(household, code, expiresAt)); invite.setInvitedBy(member.getUser());
householdInviteRepository.save(invite);
return toInviteResponse(invite); return toInviteResponse(invite);
} }
@Transactional @Transactional(readOnly = true)
public AcceptInviteResponse acceptInvite(String userEmail, String code) { public InviteInfoResponse getInviteInfo(String code) {
UserAccount user = findUser(userEmail); HouseholdInvite invite = householdInviteRepository.findByInviteCode(code)
.orElseThrow(() -> new ResourceNotFoundException("Invite not found or invalid"));
if (householdMemberRepository.findByUserEmailIgnoreCase(userEmail).isPresent()) { if ("used".equals(invite.getStatus())
throw new ConflictException("User is already in a household"); || invite.getInvalidatedAt() != null
|| invite.getExpiresAt().isBefore(Instant.now())) {
throw new ResourceNotFoundException("Invite not found or invalid");
}
String inviterName = invite.getInvitedBy() != null
? invite.getInvitedBy().getDisplayName()
: invite.getHousehold().getCreatedBy().getDisplayName();
return new InviteInfoResponse(invite.getHousehold().getName(), inviterName);
}
@Transactional
public AcceptInviteResponse acceptInvite(String code, String name, String email, String rawPassword) {
if (userAccountRepository.existsByEmailIgnoreCase(email)) {
throw new ConflictException("Email already registered");
} }
HouseholdInvite invite = householdInviteRepository.findByInviteCode(code) HouseholdInvite invite = householdInviteRepository.findByInviteCode(code)
.orElseThrow(() -> new ResourceNotFoundException("Invite not found")); .orElseThrow(() -> new ResourceNotFoundException("Invite not found or invalid"));
if ("used".equals(invite.getStatus())) { if ("used".equals(invite.getStatus())
throw new ConflictException("Invite code already used"); || invite.getInvalidatedAt() != null
} || invite.getExpiresAt().isBefore(Instant.now())) {
if (invite.getExpiresAt().isBefore(Instant.now())) { throw new ResourceNotFoundException("Invite not found or invalid");
throw new ValidationException("Invite code has expired");
} }
UserAccount user = userAccountRepository.save(
new UserAccount(email, name, passwordEncoder.encode(rawPassword)));
invite.setStatus("used"); invite.setStatus("used");
invite.setInvalidatedAt(Instant.now());
householdInviteRepository.save(invite); householdInviteRepository.save(invite);
Household household = invite.getHousehold(); Household household = invite.getHousehold();

11
backend/src/main/java/com/recipeapp/household/dto/AcceptInviteRequest.java Normal file
View File

@@ -0,0 +1,11 @@
package com.recipeapp.household.dto;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Size;
public record AcceptInviteRequest(
@NotBlank String name,
@NotBlank @Email String email,
@NotBlank @Size(min = 8) String password
) {}

6
backend/src/main/java/com/recipeapp/household/dto/InviteInfoResponse.java Normal file
View File

@@ -0,0 +1,6 @@
package com.recipeapp.household.dto;
public record InviteInfoResponse(
String householdName,
String inviterName
) {}

7
backend/src/main/java/com/recipeapp/household/entity/HouseholdInvite.java
View File

@@ -1,5 +1,6 @@
package com.recipeapp.household.entity; package com.recipeapp.household.entity;
import com.recipeapp.auth.entity.UserAccount;
import jakarta.persistence.*; import jakarta.persistence.*;
import java.time.Instant; import java.time.Instant;
import java.util.UUID; import java.util.UUID;
@@ -16,6 +17,10 @@ public class HouseholdInvite {
@JoinColumn(name = "household_id", nullable = false) @JoinColumn(name = "household_id", nullable = false)
private Household household; private Household household;
@ManyToOne(fetch = FetchType.LAZY)
@JoinColumn(name = "invited_by")
private UserAccount invitedBy;
@Column(name = "invite_code", nullable = false, unique = true, length = 20) @Column(name = "invite_code", nullable = false, unique = true, length = 20)
private String inviteCode; private String inviteCode;
@@ -38,6 +43,8 @@ public class HouseholdInvite {
public UUID getId() { return id; } public UUID getId() { return id; }
public Household getHousehold() { return household; } public Household getHousehold() { return household; }
public UserAccount getInvitedBy() { return invitedBy; }
public void setInvitedBy(UserAccount invitedBy) { this.invitedBy = invitedBy; }
public String getInviteCode() { return inviteCode; } public String getInviteCode() { return inviteCode; }
public String getStatus() { return status; } public String getStatus() { return status; }
public void setStatus(String status) { this.status = status; } public void setStatus(String status) { this.status = status; }

11
backend/src/main/resources/db/migration/V026__add_invite_invalidated_at.sql
View File

@@ -1,6 +1,17 @@
ALTER TABLE household_invite ALTER TABLE household_invite
ADD COLUMN invalidated_at timestamptz; ADD COLUMN invalidated_at timestamptz;
-- Mark all but the most-recent invite per household as invalidated,
-- so the unique partial index below can be created on dev databases
-- that accumulated multiple pending invites before this migration was added.
UPDATE household_invite
SET invalidated_at = NOW()
WHERE id NOT IN (
SELECT DISTINCT ON (household_id) id
FROM household_invite
ORDER BY household_id, expires_at DESC
);
CREATE UNIQUE INDEX uq_household_invite_active CREATE UNIQUE INDEX uq_household_invite_active
ON household_invite (household_id) ON household_invite (household_id)
WHERE invalidated_at IS NULL; WHERE invalidated_at IS NULL;

2
backend/src/main/resources/db/migration/V027__add_invite_invited_by.sql Normal file
View File

@@ -0,0 +1,2 @@
ALTER TABLE household_invite
ADD COLUMN invited_by uuid REFERENCES user_account (id) ON DELETE SET NULL;

22
backend/src/test/java/com/recipeapp/auth/AuthControllerTest.java
View File

@@ -10,19 +10,17 @@ import org.mockito.InjectMocks;
import org.mockito.Mock; import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension; import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders; import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import java.util.UUID; import java.util.UUID;
import static org.hamcrest.Matchers.notNullValue;
import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq; import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.request;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ExtendWith(MockitoExtension.class) @ExtendWith(MockitoExtension.class)
@@ -100,7 +98,7 @@ class AuthControllerTest {
} }
@Test @Test
void signupShouldStoreSecurityContextInSession() throws Exception { void signupShouldDelegateSessionCreationToAuthService() throws Exception {
var request = new SignupRequest("sarah@example.com", "s3cure!Pass", "Sarah"); var request = new SignupRequest("sarah@example.com", "s3cure!Pass", "Sarah");
var response = UserResponse.basic(UUID.randomUUID(), "sarah@example.com", "Sarah"); var response = UserResponse.basic(UUID.randomUUID(), "sarah@example.com", "Sarah");
@@ -109,14 +107,13 @@ class AuthControllerTest {
mockMvc.perform(post("/v1/auth/signup") mockMvc.perform(post("/v1/auth/signup")
.contentType(MediaType.APPLICATION_JSON) .contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(request))) .content(objectMapper.writeValueAsString(request)))
.andExpect(status().isCreated()) .andExpect(status().isCreated());
.andExpect(request().sessionAttribute(
HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, verify(authService).authenticateInSession(eq("sarah@example.com"), eq("user"), any());
notNullValue()));
} }
@Test @Test
void loginShouldStoreSecurityContextInSession() throws Exception { void loginShouldDelegateSessionCreationToAuthService() throws Exception {
var request = new LoginRequest("sarah@example.com", "s3cure!Pass"); var request = new LoginRequest("sarah@example.com", "s3cure!Pass");
var response = UserResponse.withHousehold( var response = UserResponse.withHousehold(
UUID.randomUUID(), "sarah@example.com", "Sarah", UUID.randomUUID(), "sarah@example.com", "Sarah",
@@ -127,10 +124,9 @@ class AuthControllerTest {
mockMvc.perform(post("/v1/auth/login") mockMvc.perform(post("/v1/auth/login")
.contentType(MediaType.APPLICATION_JSON) .contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(request))) .content(objectMapper.writeValueAsString(request)))
.andExpect(status().isOk()) .andExpect(status().isOk());
.andExpect(request().sessionAttribute(
HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, verify(authService).authenticateInSession(eq("sarah@example.com"), eq("user"), any());
notNullValue()));
} }
@Test @Test

51
backend/src/test/java/com/recipeapp/auth/SecurityConfigTest.java Normal file
View File

@@ -0,0 +1,51 @@
package com.recipeapp.auth;
import com.recipeapp.AbstractIntegrationTest;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
class SecurityConfigTest extends AbstractIntegrationTest {
@Autowired
private WebApplicationContext context;
private MockMvc mockMvc;
@BeforeEach
void setUp() {
mockMvc = MockMvcBuilders.webAppContextSetup(context)
.apply(springSecurity())
.build();
}
@Test
void inviteInfoEndpointIsAccessibleWithoutAuthentication() throws Exception {
// 404 = unauthenticated request reached the service (ResourceNotFoundException), not 401
mockMvc.perform(get("/v1/invites/ANYCODE"))
.andExpect(status().isNotFound());
}
@Test
void inviteAcceptEndpointIsAccessibleWithoutAuthentication() throws Exception {
// 400 = validation error (empty body), but NOT 401 — proves the path is permitted
mockMvc.perform(post("/v1/invites/ANYCODE/accept")
.contentType(org.springframework.http.MediaType.APPLICATION_JSON)
.content("{}"))
.andExpect(status().isBadRequest());
}
@Test
void protectedEndpointRequiresAuthentication() throws Exception {
mockMvc.perform(get("/v1/households/mine"))
.andExpect(status().isUnauthorized());
}
}

65
backend/src/test/java/com/recipeapp/household/HouseholdControllerTest.java
View File

@@ -1,7 +1,10 @@
package com.recipeapp.household; package com.recipeapp.household;
import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.ObjectMapper;
import com.recipeapp.auth.AuthService;
import com.recipeapp.common.GlobalExceptionHandler; import com.recipeapp.common.GlobalExceptionHandler;
import com.recipeapp.common.ResourceNotFoundException;
import com.recipeapp.common.ConflictException;
import com.recipeapp.household.dto.*; import com.recipeapp.household.dto.*;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
@@ -34,6 +37,9 @@ class HouseholdControllerTest {
@Mock @Mock
private HouseholdService householdService; private HouseholdService householdService;
@Mock
private AuthService authService;
@InjectMocks @InjectMocks
private HouseholdController householdController; private HouseholdController householdController;
@@ -158,16 +164,67 @@ class HouseholdControllerTest {
} }
@Test @Test
void acceptInviteShouldReturn200() throws Exception { void getInviteInfoShouldReturn200WithHouseholdAndInviterName() throws Exception {
var response = new AcceptInviteResponse(UUID.randomUUID(), "Smith family", "member"); var response = new InviteInfoResponse("Smith family", "Sarah");
when(householdService.acceptInvite("tom@example.com", "ABC12XYZ")).thenReturn(response); when(householdService.getInviteInfo("ABC12XYZ")).thenReturn(response);
mockMvc.perform(get("/v1/invites/ABC12XYZ"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value("success"))
.andExpect(jsonPath("$.data.householdName").value("Smith family"))
.andExpect(jsonPath("$.data.inviterName").value("Sarah"));
}
@Test
void getInviteInfoShouldReturn404WhenInvalid() throws Exception {
when(householdService.getInviteInfo("BADTOKEN"))
.thenThrow(new ResourceNotFoundException("Invite not found or invalid"));
mockMvc.perform(get("/v1/invites/BADTOKEN"))
.andExpect(status().isNotFound());
}
@Test
void acceptInviteShouldReturn200AndCreateSession() throws Exception {
var response = new AcceptInviteResponse(UUID.randomUUID(), "Smith family", "member");
var request = new AcceptInviteRequest("Tom", "tom@example.com", "secret123");
when(householdService.acceptInvite("ABC12XYZ", "Tom", "tom@example.com", "secret123"))
.thenReturn(response);
mockMvc.perform(post("/v1/invites/ABC12XYZ/accept") mockMvc.perform(post("/v1/invites/ABC12XYZ/accept")
.principal(() -> "tom@example.com")) .contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(request)))
.andExpect(status().isOk()) .andExpect(status().isOk())
.andExpect(jsonPath("$.status").value("success")) .andExpect(jsonPath("$.status").value("success"))
.andExpect(jsonPath("$.data.householdName").value("Smith family")) .andExpect(jsonPath("$.data.householdName").value("Smith family"))
.andExpect(jsonPath("$.data.role").value("member")); .andExpect(jsonPath("$.data.role").value("member"));
} }
@Test
void acceptInviteShouldReturn409WhenEmailAlreadyRegistered() throws Exception {
var request = new AcceptInviteRequest("Tom", "tom@example.com", "secret123");
when(householdService.acceptInvite("ABC12XYZ", "Tom", "tom@example.com", "secret123"))
.thenThrow(new ConflictException("Email already registered"));
mockMvc.perform(post("/v1/invites/ABC12XYZ/accept")
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(request)))
.andExpect(status().isConflict());
}
@Test
void acceptInviteShouldReturn404WhenTokenInvalid() throws Exception {
var request = new AcceptInviteRequest("Tom", "tom@example.com", "secret123");
when(householdService.acceptInvite("BADTOKEN", "Tom", "tom@example.com", "secret123"))
.thenThrow(new ResourceNotFoundException("Invite not found or invalid"));
mockMvc.perform(post("/v1/invites/BADTOKEN/accept")
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(request)))
.andExpect(status().isNotFound());
}
} }

149
backend/src/test/java/com/recipeapp/household/HouseholdServiceTest.java
View File

@@ -41,6 +41,7 @@ class HouseholdServiceTest {
@Mock private IngredientCategoryRepository ingredientCategoryRepository; @Mock private IngredientCategoryRepository ingredientCategoryRepository;
@Mock private TagRepository tagRepository; @Mock private TagRepository tagRepository;
@Mock private VarietyScoreConfigRepository varietyScoreConfigRepository; @Mock private VarietyScoreConfigRepository varietyScoreConfigRepository;
@Mock private org.springframework.security.crypto.password.PasswordEncoder passwordEncoder;
@InjectMocks @InjectMocks
private HouseholdService householdService; private HouseholdService householdService;
@@ -154,86 +155,150 @@ class HouseholdServiceTest {
assertThat(result.shareUrl()).endsWith(result.inviteCode()); assertThat(result.shareUrl()).endsWith(result.inviteCode());
} }
// ── getInviteInfo ─────────────────────────────────────────────────────────
@Test @Test
void acceptInviteShouldAddUserAsMember() { void getInviteInfoShouldReturnHouseholdNameAndInviterName() {
var user = new UserAccount("tom@example.com", "Tom", "hashed");
var owner = testUser(); var owner = testUser();
var household = new Household("Smith family", owner); var household = new Household("Smith family", owner);
var invite = new HouseholdInvite(household, "ABC12XYZ", Instant.now().plusSeconds(86400)); var invite = new HouseholdInvite(household, "ABC12XYZ", Instant.now().plusSeconds(86400));
invite.setInvitedBy(owner);
when(userAccountRepository.findByEmailIgnoreCase("tom@example.com")).thenReturn(Optional.of(user));
when(householdMemberRepository.findByUserEmailIgnoreCase("tom@example.com")).thenReturn(Optional.empty());
when(householdInviteRepository.findByInviteCode("ABC12XYZ")).thenReturn(Optional.of(invite)); when(householdInviteRepository.findByInviteCode("ABC12XYZ")).thenReturn(Optional.of(invite));
when(householdMemberRepository.save(any(HouseholdMember.class))).thenAnswer(i -> i.getArgument(0));
AcceptInviteResponse result = householdService.acceptInvite("tom@example.com", "ABC12XYZ"); InviteInfoResponse result = householdService.getInviteInfo("ABC12XYZ");
assertThat(result.householdName()).isEqualTo("Smith family"); assertThat(result.householdName()).isEqualTo("Smith family");
assertThat(result.role()).isEqualTo("member"); assertThat(result.inviterName()).isEqualTo("Sarah");
} }
@Test @Test
void acceptInviteShouldThrowWhenAlreadyInHousehold() { void getInviteInfoShouldThrow404WhenCodeNotFound() {
var user = new UserAccount("tom@example.com", "Tom", "hashed"); when(householdInviteRepository.findByInviteCode("INVALID")).thenReturn(Optional.empty());
var household = new Household("Other", user);
var member = new HouseholdMember(household, user, "member"); assertThatThrownBy(() -> householdService.getInviteInfo("INVALID"))
.isInstanceOf(ResourceNotFoundException.class);
}
@Test
void getInviteInfoShouldThrow404WhenCodeExpired() {
var owner = testUser();
var household = new Household("Smith family", owner);
var invite = new HouseholdInvite(household, "EXPIRED", Instant.now().minusSeconds(3600));
invite.setInvitedBy(owner);
when(householdInviteRepository.findByInviteCode("EXPIRED")).thenReturn(Optional.of(invite));
assertThatThrownBy(() -> householdService.getInviteInfo("EXPIRED"))
.isInstanceOf(ResourceNotFoundException.class);
}
@Test
void getInviteInfoShouldThrow404WhenCodeAlreadyUsed() {
var owner = testUser();
var household = new Household("Smith family", owner);
var invite = new HouseholdInvite(household, "USED123", Instant.now().plusSeconds(86400));
invite.setStatus("used");
invite.setInvitedBy(owner);
when(householdInviteRepository.findByInviteCode("USED123")).thenReturn(Optional.of(invite));
assertThatThrownBy(() -> householdService.getInviteInfo("USED123"))
.isInstanceOf(ResourceNotFoundException.class);
}
@Test
void getInviteInfoShouldThrow404WhenInviteIsInvalidated() {
var owner = testUser();
var household = new Household("Smith family", owner);
var invite = new HouseholdInvite(household, "SUPERSEDED", Instant.now().plusSeconds(86400));
invite.setInvitedBy(owner);
invite.setInvalidatedAt(Instant.now()); // superseded by a new invite
when(householdInviteRepository.findByInviteCode("SUPERSEDED")).thenReturn(Optional.of(invite));
assertThatThrownBy(() -> householdService.getInviteInfo("SUPERSEDED"))
.isInstanceOf(ResourceNotFoundException.class);
}
// ── acceptInvite (new: creates account + joins) ───────────────────────────
@Test
void acceptInviteShouldCreateAccountAndAddAsMember() {
var owner = testUser();
var household = new Household("Smith family", owner);
var invite = new HouseholdInvite(household, "ABC12XYZ", Instant.now().plusSeconds(86400)); var invite = new HouseholdInvite(household, "ABC12XYZ", Instant.now().plusSeconds(86400));
invite.setInvitedBy(owner);
when(userAccountRepository.findByEmailIgnoreCase("tom@example.com")).thenReturn(Optional.of(user)); when(userAccountRepository.existsByEmailIgnoreCase("tom@example.com")).thenReturn(false);
when(householdMemberRepository.findByUserEmailIgnoreCase("tom@example.com")).thenReturn(Optional.of(member)); when(householdInviteRepository.findByInviteCode("ABC12XYZ")).thenReturn(Optional.of(invite));
when(userAccountRepository.save(any(UserAccount.class))).thenAnswer(i -> i.getArgument(0));
when(householdMemberRepository.save(any(HouseholdMember.class))).thenAnswer(i -> i.getArgument(0));
when(passwordEncoder.encode("secret123")).thenReturn("hashed");
assertThatThrownBy(() -> householdService.acceptInvite("tom@example.com", "ABC12XYZ")) AcceptInviteResponse result = householdService.acceptInvite("ABC12XYZ", "Tom", "tom@example.com", "secret123");
assertThat(result.householdName()).isEqualTo("Smith family");
assertThat(result.role()).isEqualTo("member");
verify(userAccountRepository).save(any(UserAccount.class));
verify(householdMemberRepository).save(any(HouseholdMember.class));
}
@Test
void acceptInviteShouldThrow409WhenEmailAlreadyRegistered() {
when(userAccountRepository.existsByEmailIgnoreCase("tom@example.com")).thenReturn(true);
assertThatThrownBy(() -> householdService.acceptInvite("ABC12XYZ", "Tom", "tom@example.com", "secret123"))
.isInstanceOf(ConflictException.class); .isInstanceOf(ConflictException.class);
} }
@Test @Test
void acceptInviteShouldThrowWhenCodeExpired() { void acceptInviteShouldThrow404WhenCodeExpired() {
var user = new UserAccount("tom@example.com", "Tom", "hashed");
var owner = testUser(); var owner = testUser();
var household = new Household("Smith family", owner); var household = new Household("Smith family", owner);
var invite = new HouseholdInvite(household, "EXPIRED", Instant.now().minusSeconds(3600)); var invite = new HouseholdInvite(household, "EXPIRED", Instant.now().minusSeconds(3600));
when(userAccountRepository.findByEmailIgnoreCase("tom@example.com")).thenReturn(Optional.of(user)); when(userAccountRepository.existsByEmailIgnoreCase("tom@example.com")).thenReturn(false);
when(householdMemberRepository.findByUserEmailIgnoreCase("tom@example.com")).thenReturn(Optional.empty());
when(householdInviteRepository.findByInviteCode("EXPIRED")).thenReturn(Optional.of(invite)); when(householdInviteRepository.findByInviteCode("EXPIRED")).thenReturn(Optional.of(invite));
assertThatThrownBy(() -> householdService.acceptInvite("tom@example.com", "EXPIRED")) assertThatThrownBy(() -> householdService.acceptInvite("EXPIRED", "Tom", "tom@example.com", "secret123"))
.isInstanceOf(ValidationException.class); .isInstanceOf(ResourceNotFoundException.class);
} }
@Test @Test
void acceptInviteShouldThrowWhenCodeAlreadyUsed() { void acceptInviteShouldThrow404WhenCodeAlreadyUsed() {
var user = new UserAccount("tom@example.com", "Tom", "hashed");
var owner = testUser(); var owner = testUser();
var household = new Household("Smith family", owner); var household = new Household("Smith family", owner);
var invite = new HouseholdInvite(household, "USED123", Instant.now().plusSeconds(86400)); var invite = new HouseholdInvite(household, "USED123", Instant.now().plusSeconds(86400));
invite.setStatus("used"); invite.setStatus("used");
when(userAccountRepository.findByEmailIgnoreCase("tom@example.com")).thenReturn(Optional.of(user)); when(userAccountRepository.existsByEmailIgnoreCase("tom@example.com")).thenReturn(false);
when(householdMemberRepository.findByUserEmailIgnoreCase("tom@example.com")).thenReturn(Optional.empty());
when(householdInviteRepository.findByInviteCode("USED123")).thenReturn(Optional.of(invite)); when(householdInviteRepository.findByInviteCode("USED123")).thenReturn(Optional.of(invite));
assertThatThrownBy(() -> householdService.acceptInvite("tom@example.com", "USED123")) assertThatThrownBy(() -> householdService.acceptInvite("USED123", "Tom", "tom@example.com", "secret123"))
.isInstanceOf(ConflictException.class);
}
@Test
void acceptInviteShouldThrowWhenInviteNotFound() {
var user = new UserAccount("tom@example.com", "Tom", "hashed");
when(userAccountRepository.findByEmailIgnoreCase("tom@example.com")).thenReturn(Optional.of(user));
when(householdMemberRepository.findByUserEmailIgnoreCase("tom@example.com")).thenReturn(Optional.empty());
when(householdInviteRepository.findByInviteCode("INVALID")).thenReturn(Optional.empty());
assertThatThrownBy(() -> householdService.acceptInvite("tom@example.com", "INVALID"))
.isInstanceOf(ResourceNotFoundException.class); .isInstanceOf(ResourceNotFoundException.class);
} }
@Test @Test
void acceptInviteShouldThrowWhenUserNotFound() { void acceptInviteShouldThrow404WhenInviteNotFound() {
when(userAccountRepository.findByEmailIgnoreCase("unknown@example.com")).thenReturn(Optional.empty()); when(userAccountRepository.existsByEmailIgnoreCase("tom@example.com")).thenReturn(false);
when(householdInviteRepository.findByInviteCode("INVALID")).thenReturn(Optional.empty());
assertThatThrownBy(() -> householdService.acceptInvite("unknown@example.com", "ABC12XYZ")) assertThatThrownBy(() -> householdService.acceptInvite("INVALID", "Tom", "tom@example.com", "secret123"))
.isInstanceOf(ResourceNotFoundException.class);
}
@Test
void acceptInviteShouldThrow404WhenInviteIsInvalidated() {
var owner = testUser();
var household = new Household("Smith family", owner);
var invite = new HouseholdInvite(household, "SUPERSEDED", Instant.now().plusSeconds(86400));
invite.setInvalidatedAt(Instant.now()); // superseded by a new invite
when(userAccountRepository.existsByEmailIgnoreCase("tom@example.com")).thenReturn(false);
when(householdInviteRepository.findByInviteCode("SUPERSEDED")).thenReturn(Optional.of(invite));
assertThatThrownBy(() -> householdService.acceptInvite("SUPERSEDED", "Tom", "tom@example.com", "secret123"))
.isInstanceOf(ResourceNotFoundException.class); .isInstanceOf(ResourceNotFoundException.class);
} }
@@ -470,11 +535,13 @@ class HouseholdServiceTest {
when(householdMemberRepository.findByUserEmailIgnoreCase("sarah@example.com")).thenReturn(Optional.of(member)); when(householdMemberRepository.findByUserEmailIgnoreCase("sarah@example.com")).thenReturn(Optional.of(member));
when(householdInviteRepository.findByHouseholdIdAndInvalidatedAtIsNull(any())).thenReturn(Optional.of(existingInvite)); when(householdInviteRepository.findByHouseholdIdAndInvalidatedAtIsNull(any())).thenReturn(Optional.of(existingInvite));
when(householdInviteRepository.saveAndFlush(any(HouseholdInvite.class))).thenAnswer(i -> i.getArgument(0));
when(householdInviteRepository.save(any(HouseholdInvite.class))).thenAnswer(i -> i.getArgument(0)); when(householdInviteRepository.save(any(HouseholdInvite.class))).thenAnswer(i -> i.getArgument(0));
householdService.createInvite("sarah@example.com"); householdService.createInvite("sarah@example.com");
assertThat(existingInvite.getInvalidatedAt()).isNotNull(); assertThat(existingInvite.getInvalidatedAt()).isNotNull();
verify(householdInviteRepository, times(2)).save(any(HouseholdInvite.class)); verify(householdInviteRepository).saveAndFlush(existingInvite);
verify(householdInviteRepository).save(any(HouseholdInvite.class));
} }
} }

13
frontend/src/hooks.server.test.ts
View File

@@ -42,7 +42,7 @@ describe('auth guard (hooks.server.ts handle)', () => {
expect(resolve).toHaveBeenCalledWith(event); expect(resolve).toHaveBeenCalledWith(event);
}); });
it.each(['/login', '/login/', '/register', '/signup', '/signup/', '/invite/abc123'])( it.each(['/login', '/login/', '/register', '/signup', '/signup/', '/invite/abc123', '/join/ABC12XYZ'])(
'allows public route %s without auth', 'allows public route %s without auth',
async (path) => { async (path) => {
const { event, resolve } = createEvent(path); const { event, resolve } = createEvent(path);
@@ -51,6 +51,17 @@ describe('auth guard (hooks.server.ts handle)', () => {
} }
); );
it('redirects authenticated user on /join/[token] to /', async () => {
const { event, resolve } = createEvent('/join/ABC12XYZ', 'valid-session');
try {
await handle({ event, resolve });
expect.unreachable();
} catch (e: any) {
expect(e.status).toBe(302);
expect(e.location).toBe('/');
}
});
it.each(['/_app/immutable/chunks/app.js', '/favicon.ico'])( it.each(['/_app/immutable/chunks/app.js', '/favicon.ico'])(
'allows static asset %s without auth', 'allows static asset %s without auth',
async (path) => { async (path) => {

6
frontend/src/hooks.server.ts
View File

@@ -2,7 +2,7 @@ import type { Handle } from '@sveltejs/kit';
import { redirect } from '@sveltejs/kit'; import { redirect } from '@sveltejs/kit';
import { apiClient } from '$lib/server/api'; import { apiClient } from '$lib/server/api';
const PUBLIC_ROUTES = ['/login', '/register', '/signup', '/invite']; const PUBLIC_ROUTES = ['/login', '/register', '/signup', '/invite', '/join'];
const STATIC_PREFIXES = ['/_app/', '/favicon']; const STATIC_PREFIXES = ['/_app/', '/favicon'];
@@ -20,6 +20,10 @@ function loginRedirect(pathname: string): never {
export const handle: Handle = async ({ event, resolve }) => { export const handle: Handle = async ({ event, resolve }) => {
if (isPublicRoute(event.url.pathname)) { if (isPublicRoute(event.url.pathname)) {
const isJoinRoute = event.url.pathname.startsWith('/join/');
if (isJoinRoute && event.cookies.get('JSESSIONID')) {
throw redirect(302, '/');
}
return resolve(event); return resolve(event);
} }

73
frontend/src/lib/api/schema.d.ts vendored
View File

@@ -148,6 +148,22 @@ export interface paths {
patch?: never; patch?: never;
trace?: never; trace?: never;
}; };
"/v1/invites/{code}": {
parameters: {
query?: never;
header?: never;
path?: never;
cookie?: never;
};
get: operations["getInviteInfo"];
put?: never;
post?: never;
delete?: never;
options?: never;
head?: never;
patch?: never;
trace?: never;
};
"/v1/invites/{code}/accept": { "/v1/invites/{code}/accept": {
parameters: { parameters: {
query?: never; query?: never;
@@ -739,6 +755,20 @@ export interface components {
data?: components["schemas"]["AcceptInviteResponse"]; data?: components["schemas"]["AcceptInviteResponse"];
meta?: components["schemas"]["Meta"]; meta?: components["schemas"]["Meta"];
}; };
InviteInfoResponse: {
householdName?: string;
inviterName?: string;
};
ApiResponseInviteInfoResponse: {
status?: string;
data?: components["schemas"]["InviteInfoResponse"];
meta?: components["schemas"]["Meta"];
};
AcceptInviteRequest: {
name: string;
email: string;
password: string;
};
Meta: { Meta: {
pagination?: components["schemas"]["Pagination"]; pagination?: components["schemas"]["Pagination"];
}; };
@@ -1345,7 +1375,7 @@ export interface operations {
}; };
}; };
}; };
acceptInvite: { getInviteInfo: {
parameters: { parameters: {
query?: never; query?: never;
header?: never; header?: never;
@@ -1355,6 +1385,37 @@ export interface operations {
cookie?: never; cookie?: never;
}; };
requestBody?: never; requestBody?: never;
responses: {
/** @description OK */
200: {
headers: {
[name: string]: unknown;
};
content: {
"*/*": components["schemas"]["ApiResponseInviteInfoResponse"];
};
};
/** @description Not found */
404: {
headers: { [name: string]: unknown };
content: { "*/*": components["schemas"]["ApiError"] };
};
};
};
acceptInvite: {
parameters: {
query?: never;
header?: never;
path: {
code: string;
};
cookie?: never;
};
requestBody: {
content: {
"application/json": components["schemas"]["AcceptInviteRequest"];
};
};
responses: { responses: {
/** @description OK */ /** @description OK */
200: { 200: {
@@ -1365,6 +1426,16 @@ export interface operations {
"*/*": components["schemas"]["ApiResponseAcceptInviteResponse"]; "*/*": components["schemas"]["ApiResponseAcceptInviteResponse"];
}; };
}; };
/** @description Email already registered */
409: {
headers: { [name: string]: unknown };
content: { "*/*": components["schemas"]["ApiError"] };
};
/** @description Invite not found or invalid */
404: {
headers: { [name: string]: unknown };
content: { "*/*": components["schemas"]["ApiError"] };
};
}; };
}; };
listCategories: { listCategories: {

84
frontend/src/routes/(public)/join/[token]/+page.server.ts Normal file
View File

@@ -0,0 +1,84 @@
import { fail, redirect } from '@sveltejs/kit';
import { dev } from '$app/environment';
import { apiClient } from '$lib/server/api';
import type { Actions, PageServerLoad } from './$types';
export const load: PageServerLoad = async ({ params, fetch }) => {
const api = apiClient(fetch);
const { data, error } = await api.GET('/v1/invites/{code}', {
params: { path: { code: params.token } }
});
if (error || !data?.data) {
return { invalid: true };
}
return {
invalid: false,
householdName: data.data.householdName ?? '',
inviterName: data.data.inviterName ?? ''
};
};
export const actions = {
default: async ({ params, request, fetch, cookies }) => {
const formData = await request.formData();
const name = (formData.get('name') ?? '').toString().trim();
const email = (formData.get('email') ?? '').toString().trim();
const password = (formData.get('password') ?? '').toString();
const errors: Record<string, string> = {};
if (!name) {
errors.name = 'Name ist erforderlich';
}
const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
if (!emailPattern.test(email)) {
errors.email = 'Ungültige E-Mail-Adresse';
}
if (password.length < 8) {
errors.password = 'Mindestens 8 Zeichen';
}
if (Object.keys(errors).length > 0) {
return fail(400, { errors, name, email });
}
const api = apiClient(fetch);
const { error, response } = await api.POST('/v1/invites/{code}/accept', {
params: { path: { code: params.token } },
body: { name, email, password }
});
if (error) {
if (error.status === 409) {
return fail(409, {
errors: {
email: 'Diese E-Mail-Adresse ist bereits registriert. Anmelden →'
},
name,
email
});
}
return fail(400, {
errors: { form: 'Einladung ungültig oder abgelaufen.' },
name,
email
});
}
const sessionId = response?.headers.get('set-cookie')?.match(/JSESSIONID=([^;]+)/i)?.[1];
if (sessionId) {
cookies.set('JSESSIONID', sessionId, {
path: '/',
httpOnly: true,
sameSite: 'lax',
secure: !dev
});
}
redirect(303, '/');
}
} satisfies Actions;

46
frontend/src/routes/(public)/join/[token]/+page.svelte Normal file
View File

@@ -0,0 +1,46 @@
<script lang="ts">
import type { PageData, ActionData } from './$types';
import HouseholdIdentityPanel from './HouseholdIdentityPanel.svelte';
import JoinForm from './JoinForm.svelte';
let { data, form }: { data: PageData; form: ActionData } = $props();
</script>
<svelte:head>
<title>Haushalt beitreten — Mealplan</title>
</svelte:head>
{#if data.invalid}
<div class="flex min-h-screen items-center justify-center bg-[var(--color-page)] px-6">
<div class="text-center">
<h1 class="font-[var(--font-display)] text-[22px] font-semibold tracking-[-0.02em] text-[var(--color-text)]">
Einladung ungültig oder abgelaufen
</h1>
<p class="mt-3 font-[var(--font-sans)] text-[14px] text-[var(--color-text-muted)]">
Bitte bitte den Einladenden, einen neuen Link zu senden.
</p>
</div>
</div>
{:else}
<!-- Mobile layout (< 1024px): stacked banner + form -->
<!-- Desktop layout (≥ 1024px): two-column side by side -->
<div class="flex min-h-screen flex-col lg:flex-row">
<!-- Left / top: green-tint panel -->
<div class="bg-[var(--green-dark)] p-6 lg:flex lg:w-[400px] lg:flex-shrink-0 lg:items-center lg:justify-center lg:p-12">
<HouseholdIdentityPanel
householdName={data.householdName ?? ''}
inviterName={data.inviterName ?? ''}
/>
</div>
<!-- Right / bottom: form -->
<div class="flex flex-1 items-center justify-center bg-[var(--color-page)] p-6 lg:p-12">
<div class="w-full max-w-sm">
<h1 class="mb-6 font-[var(--font-display)] text-[22px] font-semibold tracking-[-0.02em] text-[var(--color-text)]">
Konto erstellen & beitreten
</h1>
<JoinForm {form} />
</div>
</div>
</div>
{/if}

41
frontend/src/routes/(public)/join/[token]/HouseholdIdentityPanel.svelte Normal file
View File

@@ -0,0 +1,41 @@
<script lang="ts">
let { householdName, inviterName }: { householdName: string; inviterName: string } = $props();
</script>
<div class="flex flex-col items-center gap-4 rounded-[var(--radius-xl)] bg-[var(--green-dark)] p-6 text-center">
<!-- App logo -->
<span class="text-[48px]" aria-hidden="true">🥗</span>
<!-- Household name -->
<div>
<h2
class="font-[var(--font-display)] text-[22px] font-semibold tracking-[-0.02em] text-white"
>
{householdName}
</h2>
<p class="mt-1 font-[var(--font-sans)] text-[12px] text-[var(--green-light)]">
Eingeladen von {inviterName}
</p>
</div>
<!-- Permissions info box -->
<div class="w-full rounded-xl bg-white/10 px-4 py-3 text-left">
<p class="mb-2 font-[var(--font-sans)] text-[11px] font-medium uppercase tracking-wide text-[var(--green-light)]">
Als Mitglied kannst du
</p>
<ul aria-label="Als Mitglied kannst du" class="flex flex-col gap-1.5">
<li class="flex items-center gap-2 font-[var(--font-sans)] text-[13px] text-white">
<span class="font-semibold text-[var(--green-light)]" aria-hidden="true"></span>
Wochenplan einsehen
</li>
<li class="flex items-center gap-2 font-[var(--font-sans)] text-[13px] text-white">
<span class="font-semibold text-[var(--green-light)]" aria-hidden="true"></span>
Einkaufsliste abhaken
</li>
<li class="flex items-center gap-2 font-[var(--font-sans)] text-[13px] text-white">
<span class="font-semibold text-[var(--green-light)]" aria-hidden="true"></span>
Artikel zur Liste hinzufügen
</li>
</ul>
</div>
</div>

41
frontend/src/routes/(public)/join/[token]/HouseholdIdentityPanel.test.ts Normal file
View File

@@ -0,0 +1,41 @@
import { describe, it, expect } from 'vitest';
import { render, screen } from '@testing-library/svelte';
import HouseholdIdentityPanel from './HouseholdIdentityPanel.svelte';
describe('HouseholdIdentityPanel', () => {
it('renders household name', () => {
render(HouseholdIdentityPanel, {
props: { householdName: 'Smith family', inviterName: 'Sarah' }
});
expect(screen.getByText('Smith family')).toBeInTheDocument();
});
it('renders inviter name', () => {
render(HouseholdIdentityPanel, {
props: { householdName: 'Smith family', inviterName: 'Sarah' }
});
expect(screen.getByText(/Sarah/)).toBeInTheDocument();
});
it('renders all three member permissions', () => {
render(HouseholdIdentityPanel, {
props: { householdName: 'Smith family', inviterName: 'Sarah' }
});
expect(screen.getByText(/Wochenplan/i)).toBeInTheDocument();
expect(screen.getByText(/Einkaufsliste/i)).toBeInTheDocument();
});
it('renders app logo', () => {
render(HouseholdIdentityPanel, {
props: { householdName: 'Smith family', inviterName: 'Sarah' }
});
expect(screen.getByText('🥗')).toBeInTheDocument();
});
it('permissions list has accessible name', () => {
render(HouseholdIdentityPanel, {
props: { householdName: 'Smith family', inviterName: 'Sarah' }
});
expect(screen.getByRole('list', { name: /als mitglied kannst du/i })).toBeInTheDocument();
});
});

113
frontend/src/routes/(public)/join/[token]/JoinForm.svelte Normal file
View File

@@ -0,0 +1,113 @@
<script lang="ts">
import { enhance } from '$app/forms';
type FormData = {
errors?: Record<string, string>;
name?: string;
email?: string;
} | null;
let { form = null }: { form?: FormData } = $props();
let showPassword = $state(false);
</script>
<form method="POST" use:enhance>
<!-- Form-level error -->
{#if form?.errors?.form}
<p
class="mb-4 rounded-[var(--radius-md)] bg-[color-mix(in_srgb,var(--color-error),transparent_90%)] px-[12px] py-[10px] font-[var(--font-sans)] text-[12px] text-[var(--color-error)]"
>
{form.errors.form}
</p>
{/if}
<!-- Name field -->
<div class="mb-4">
<label
for="name"
class="mb-[6px] block font-[var(--font-sans)] text-[12px] font-medium text-[var(--color-text)]"
>
Name
</label>
<input
type="text"
id="name"
name="name"
autocomplete="given-name"
value={form?.name ?? ''}
class="w-full rounded-[var(--radius-md)] border border-[var(--color-border)] bg-[var(--color-page)] px-[12px] py-[10px] font-[var(--font-sans)] text-[14px] text-[var(--color-text)] outline-none
{form?.errors?.name ? 'border-[var(--color-error)]' : ''}"
/>
{#if form?.errors?.name}
<p class="mt-1 font-[var(--font-sans)] text-[12px] text-[var(--color-error)]">
{form.errors.name}
</p>
{/if}
</div>
<!-- Email field -->
<div class="mb-4">
<label
for="email"
class="mb-[6px] block font-[var(--font-sans)] text-[12px] font-medium text-[var(--color-text)]"
>
E-Mail
</label>
<input
type="email"
id="email"
name="email"
autocomplete="email"
value={form?.email ?? ''}
class="w-full rounded-[var(--radius-md)] border border-[var(--color-border)] bg-[var(--color-page)] px-[12px] py-[10px] font-[var(--font-sans)] text-[14px] text-[var(--color-text)] outline-none
{form?.errors?.email ? 'border-[var(--color-error)]' : ''}"
/>
{#if form?.errors?.email}
<p class="mt-1 font-[var(--font-sans)] text-[12px] text-[var(--color-error)]">
{form.errors.email}
</p>
{/if}
</div>
<!-- Password field -->
<div class="mb-6">
<label
for="password"
class="mb-[6px] block font-[var(--font-sans)] text-[12px] font-medium text-[var(--color-text)]"
>
Passwort
</label>
<div class="relative">
<input
type={showPassword ? 'text' : 'password'}
id="password"
name="password"
autocomplete="new-password"
class="w-full rounded-[var(--radius-md)] border border-[var(--color-border)] bg-[var(--color-page)] px-[12px] py-[10px] pr-[80px] font-[var(--font-sans)] text-[14px] text-[var(--color-text)] outline-none
{form?.errors?.password ? 'border-[var(--color-error)]' : ''}"
/>
<button
type="button"
onclick={() => (showPassword = !showPassword)}
aria-label={showPassword ? 'Passwort verbergen' : 'Passwort anzeigen'}
class="absolute top-1/2 right-[12px] -translate-y-1/2 cursor-pointer bg-transparent p-0 font-[var(--font-sans)] text-[12px] text-[var(--color-text-muted)]"
>
{showPassword ? 'Verbergen' : 'Anzeigen'}
</button>
</div>
{#if form?.errors?.password}
<p class="mt-1 font-[var(--font-sans)] text-[12px] text-[var(--color-error)]">
{form.errors.password}
</p>
{/if}
</div>
<!-- Submit button -->
<button
type="submit"
class="w-full cursor-pointer rounded-[var(--radius-md)] bg-[var(--green-dark)] px-[24px] py-[12px] font-[var(--font-sans)] text-[var(--btn-font-size)] font-[var(--btn-font-weight)] tracking-[var(--btn-letter-spacing)] text-white"
>
Haushalt beitreten
</button>
</form>

83
frontend/src/routes/(public)/join/[token]/JoinForm.test.ts Normal file
View File

@@ -0,0 +1,83 @@
import { describe, it, expect, vi } from 'vitest';
import { render, screen } from '@testing-library/svelte';
import { userEvent } from '@testing-library/user-event';
import JoinForm from './JoinForm.svelte';
vi.mock('$app/forms', () => ({
enhance: () => ({ destroy: () => {} })
}));
describe('JoinForm', () => {
it('renders name, email and password fields', () => {
render(JoinForm);
expect(screen.getByLabelText('Name')).toBeInTheDocument();
expect(screen.getByLabelText('E-Mail')).toBeInTheDocument();
expect(screen.getByLabelText('Passwort')).toBeInTheDocument();
});
it('renders "Haushalt beitreten" submit button', () => {
render(JoinForm);
expect(screen.getByRole('button', { name: /Haushalt beitreten/i })).toBeInTheDocument();
});
it('password field is initially of type password', () => {
render(JoinForm);
expect(screen.getByLabelText('Passwort')).toHaveAttribute('type', 'password');
});
it('password toggle switches type to text', async () => {
const user = userEvent.setup();
render(JoinForm);
const toggle = screen.getByRole('button', { name: /passwort anzeigen/i });
await user.click(toggle);
expect(screen.getByLabelText('Passwort')).toHaveAttribute('type', 'text');
});
it('password toggle aria-label updates to "Passwort verbergen" when visible', async () => {
const user = userEvent.setup();
render(JoinForm);
const toggle = screen.getByRole('button', { name: /passwort anzeigen/i });
await user.click(toggle);
expect(screen.getByRole('button', { name: /passwort verbergen/i })).toBeInTheDocument();
});
it('shows form-level error from form prop', () => {
render(JoinForm, {
props: {
form: {
errors: { form: 'Einladung ungültig oder abgelaufen.' }
}
}
});
expect(screen.getByText('Einladung ungültig oder abgelaufen.')).toBeInTheDocument();
});
it('shows email-taken error with login link', () => {
render(JoinForm, {
props: {
form: {
errors: {
email: 'Diese E-Mail-Adresse ist bereits registriert. Anmelden →'
}
}
}
});
expect(screen.getByText(/bereits registriert/)).toBeInTheDocument();
});
it('pre-fills name and email from form prop', () => {
render(JoinForm, {
props: {
form: {
errors: {},
name: 'Tom',
email: 'tom@example.com'
}
}
});
expect(screen.getByLabelText('Name')).toHaveValue('Tom');
expect(screen.getByLabelText('E-Mail')).toHaveValue('tom@example.com');
});
});

202
frontend/src/routes/(public)/join/[token]/page.server.test.ts Normal file
View File

@@ -0,0 +1,202 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
vi.mock('$env/dynamic/private', () => ({
env: { BACKEND_URL: 'http://localhost:8080' }
}));
vi.mock('$app/environment', () => ({ dev: false }));
const mockGet = vi.fn();
const mockPost = vi.fn();
vi.mock('$lib/server/api', () => ({
apiClient: () => ({ GET: mockGet, POST: mockPost })
}));
describe('join page load function', () => {
let load: any;
beforeEach(async () => {
mockGet.mockReset();
vi.resetModules();
const mod = await import('./+page.server');
load = mod.load;
});
function createLoadEvent(token: string) {
return {
params: { token },
fetch: vi.fn()
} as any;
}
it('returns householdName and inviterName for valid token', async () => {
mockGet.mockResolvedValue({
data: { data: { householdName: 'Smith family', inviterName: 'Sarah' } },
error: undefined
});
const result = await load(createLoadEvent('ABC12XYZ'));
expect(result.invalid).toBeFalsy();
expect(result.householdName).toBe('Smith family');
expect(result.inviterName).toBe('Sarah');
});
it('returns invalid:true on 404 (expired/used/unknown token)', async () => {
mockGet.mockResolvedValue({
data: undefined,
error: { status: 404 }
});
const result = await load(createLoadEvent('BADTOKEN'));
expect(result.invalid).toBe(true);
});
});
describe('join page form action', () => {
let actions: any;
beforeEach(async () => {
mockPost.mockReset();
vi.resetModules();
const mod = await import('./+page.server');
actions = mod.actions;
});
function createRequest(token: string, formData: Record<string, string>) {
const fd = new FormData();
for (const [key, value] of Object.entries(formData)) {
fd.append(key, value);
}
return {
params: { token },
request: { formData: () => Promise.resolve(fd) },
fetch: vi.fn(),
cookies: { get: vi.fn(), set: vi.fn() }
} as any;
}
it('calls POST /v1/invites/{token}/accept with form data', async () => {
mockPost.mockResolvedValue({
data: { data: { householdName: 'Smith family', role: 'member' } },
error: undefined,
response: { headers: { get: vi.fn().mockReturnValue(null) } }
});
try {
await actions.default(createRequest('ABC12XYZ', {
name: 'Tom',
email: 'tom@example.com',
password: 'secret123'
}));
} catch {
// redirect throws
}
expect(mockPost).toHaveBeenCalledWith('/v1/invites/{code}/accept', {
params: { path: { code: 'ABC12XYZ' } },
body: { name: 'Tom', email: 'tom@example.com', password: 'secret123' }
});
});
it('sets JSESSIONID cookie and redirects to / on success', async () => {
mockPost.mockResolvedValue({
data: { data: { householdName: 'Smith family', role: 'member' } },
error: undefined,
response: {
headers: { get: vi.fn().mockReturnValue('JSESSIONID=abc123; Path=/; HttpOnly') }
}
});
const event = createRequest('ABC12XYZ', {
name: 'Tom',
email: 'tom@example.com',
password: 'secret123'
});
try {
await actions.default(event);
expect.unreachable();
} catch (e: any) {
expect(e.status).toBe(303);
expect(e.location).toBe('/');
}
expect(event.cookies.set).toHaveBeenCalledWith(
'JSESSIONID',
'abc123',
expect.objectContaining({ path: '/', secure: true })
);
});
it('returns 409 fail with email-taken message on conflict', async () => {
mockPost.mockResolvedValue({
data: undefined,
error: { status: 409 },
response: { headers: { get: vi.fn().mockReturnValue(null) } }
});
const result = await actions.default(createRequest('ABC12XYZ', {
name: 'Tom',
email: 'tom@example.com',
password: 'secret123'
}));
expect(result.status).toBe(409);
expect(result.data.errors.email).toContain('registriert');
});
it('returns 400 fail on invalid token (404 from backend)', async () => {
mockPost.mockResolvedValue({
data: undefined,
error: { status: 404 },
response: { headers: { get: vi.fn().mockReturnValue(null) } }
});
const result = await actions.default(createRequest('BADTOKEN', {
name: 'Tom',
email: 'tom@example.com',
password: 'secret123'
}));
expect(result.status).toBe(400);
expect(result.data.errors.form).toBeTruthy();
});
it('rejects empty name with validation error', async () => {
const result = await actions.default(createRequest('ABC12XYZ', {
name: '',
email: 'tom@example.com',
password: 'secret123'
}));
expect(result.status).toBe(400);
expect(result.data.errors.name).toBeTruthy();
expect(mockPost).not.toHaveBeenCalled();
});
it('rejects invalid email with validation error', async () => {
const result = await actions.default(createRequest('ABC12XYZ', {
name: 'Tom',
email: 'notanemail',
password: 'secret123'
}));
expect(result.status).toBe(400);
expect(result.data.errors.email).toBeTruthy();
expect(mockPost).not.toHaveBeenCalled();
});
it('rejects short password with validation error', async () => {
const result = await actions.default(createRequest('ABC12XYZ', {
name: 'Tom',
email: 'tom@example.com',
password: 'short'
}));
expect(result.status).toBe(400);
expect(result.data.errors.password).toBeTruthy();
expect(mockPost).not.toHaveBeenCalled();
});
});